Overview

The Balancer Labs team was recently notified of a potentially exploitable Denial of Service (DoS) scenario thanks to a benevolent hacker who properly disclosed the vulnerability through Immunefi. We want to stress that user funds are not at risk; the DoS would transfer these tokens out of the Vault and into the ProtocolFeesCollector which is controlled by Balancer governance. The scenario in question involves double entry-point ERC20 tokens, including but not limited to Synthetix tokens (e.g., SNX and sBTC), and Balancer Flash loans.

Definition

• Proxy Architecture Pattern: This, in the context of ERC20 tokens, is a token composed of two parts: a proxy and a target. In general, users only need to think about the proxy; it is all that they need to use to send, swap, or stake their token. Under the hood, however, the proxy points to a target contract that implements underlying logic and can be replaced in order to upgrade token behavior. These are explained in depth here.
• Double Entry-Point ERC20 Token: This is an ERC20 with a Proxy Architecture Pattern that allows users (and contracts) to interact directly with the target contract, skipping the proxy. Since it is possible to interact with both the proxy and the target directly, the token has two entry-points.

Vulnerability Brief

If a user executes a Balancer Flash loan for both entry-points of the same token in descending amounts and immediately repays it, the repayment of the loan will be interpreted as an excess of tokens at the second entry-point and the Vault will therefore send the difference to the ProtocolFeesCollector. This can leave a pool in a state of thinking it has more tokens than it does, resulting in failed transactions on swaps and pool exits.

Fortunately, Balancer governance controls access to the ProtocolFeesCollector, so there is nothing an attacker can do with these funds after they are sent to the contract. All they can do is temporarily deny access to these funds for any pools containing the relevant tokens.

Currently, the only known double entry-point tokens included in Balancer pools are SNX and sBTC on Ethereum mainnet. The main pools that are affected by this vulnerability are:

• SNX/WETH: https://app.balancer.fi/#/pool/0x072f14b85add63488ddad88f855fda4a99d6ac9b000200000000000000000027
• wBTC/renBTC/sBTC: https://app.balancer.fi/#/pool/0xfeadd389a5c427952d8fdb8057d6c8ba1156cc56000000000000000000000066

Mitigation

We will take the following action(s):

1. Revoke all outstanding permissions on withdrawing funds from the ProtocolFeesCollector so that not even a previously approved entity can access the tokens in question.
2. Execute a transaction, as described in the bug report, to transfer sBTC and SNX tokens from the Vault to the ProtocolFeesCollector and thereby pause certain operations within the relevant pools. This mitigates risk of unknown attack vectors that might exist by placing funds under control of governance. Funds will be inaccessible for a short time during this process; we currently estimate about a week.
3. Deploy a relayer contract that allows any owner of the relevant pools’ BPT to atomically withdraw funds from the ProtocolFeesCollector to the Vault and exit the pool proportionally. This procedure will have to be executed by each LP individually but will ensure that all LPs are made whole. This relayer will be developed by Balancer Labs but, like all relayers, must be approved by Balancer governance before going live.

As a possible alternative to step 3, we are speaking with the Synthetix team about upgrading their token implementation contracts. If they are able to successfully remove the second entry-point, the token contracts could be upgraded in place and the tokens returned to the Vault without any intervention required from LPs.

This is everything we know now and we will provide timely updates if there are any important changes.

All SNX and sBTC held by the Vault has been transferred to the ProtocolFeeCollector in this transaction: Ethereum Transaction Hash (Txhash) Details | Etherscan

Note that this is not a normal operation - it is typically impossible for funds to be transferred in this manner. The transaction above triggers the issue in the associated Synthetix tokens to forcelly send them to the FeeCollector, an extremely simple contract where we are certain the tokens are safe regardless of their double-entrypoint nature, and controlled solely by Balancer Governance.

As of that transaction, attemps to withdraw SNX or sBTC from the Vault will temporarily fail, until the situation is fully addressed.

Hey there. Matt from Synthetix here. Just providing an update from our side

Regarding the possible alternative to Step 3:

As a possible alternative to step 3, we are speaking with the Synthetix team about upgrading their token implementation contracts. If they are able to successfully remove the second entry-point, the token contracts could be upgraded in place and the tokens returned to the Vault without any intervention required from LPs.

Synthetix is planning on upgrading our token implementation contracts early next week to remove the double entry point and allow for tokens to be returned to the vaults without any intervention from LPs. We’ll update the Balancer community once the release is complete.

Thanks!

i noticed that this bug doesn’t fix it yet. is there any plan to fix it?

I’m stuck too… and I would love to be able to use my wBTC again…

Hey, Balancer community! Another update from the Synthetix side.

We’ve been delayed in upgrading the token implementation, and our fixes will require more work on the dev side, plus an audit.

Currently, this fix is at least two weeks away, but I will update the Balancer community as updates come in and we are closer to a fix.

One update on the above - Balancer has launched on Optimism, and the same bug is present on Balancers Optimism instance.

Synthetix is planning a release in the next week to remedy this bug on both Optimism and Mainnet. I’ll post once that is complete. Thanks again!

As Matt mentioned, the recent Optimism deployment is affected as well by this.

We’ve performed the same mitigations as in the L1, resulting in the tokens being moved to the ProtocolFeeCollector. The ProtocolFeeWithdrawer already existed in that network, so we added the 4 tokens (SNX, sUSD and their alternate entrypoints) to the denylist, meaning they cannot be withdrawn from the collector.

Synthetix has completed the release that only allows token transfers via proxies for SNX and all synths. We’ve completed all required items from the Synthetix side to re-enable exchanging on Balancer.

Read more about the release - The Saiph Release.

Thanks for being very patient, and we’re excited to work with Balancer on both mainnet and Optimism!

After the proposal passed, the tokens were transferred back into the Vault, restoring normal operation.